Phishing attacks: Prevent them with staff education or mitigate the impact with cyber insurance?

Since January 2016, world-famous companies like Seagate Technology, FACC, Snapchat, and Weight Watchers International have been targeted by phishing attacks (or whaling attacks, a variant of phishing) which have tricked unwitting employees into wiring huge sums of money or sending personal information such as HR and tax data.

More than 90% of cyber attacks begin with an email, and whaling campaigns are becoming more aggressive, as Mimecast recently revealed. The fraud generated by cyber criminals through whaling attacks has accounted for $2.3 billion over the last three years, prompting even federal agencies such as the FBI to take action to protect users.

Will cyber insurance policies pay out for social engineering attacks?

There is much debate around this question. On the one hand, social engineering techniques are difficult to qualify as cyber attacks, which makes it hard for insurers to quantify fair compensation and to compare one case with another. On the other hand, there is always the spectre of insurance fraud: how can the insurer be sure that the tricked staff member was not aware of the cyber criminals’ plan?

This uncertainty is reflected in the data: only 10% of companies with cyber insurance believe that their policy covers social engineering attacks, and around 57% of firms are uncertain whether their insurer will pay out for whaling attacks.

Prevention is better than cure

Even if a cyber insurance policy lets companies sleep soundly at night, eradicating the problem at its roots is the better solution. Employees are the gateway to the company’s systems and data: the more they know about cyber attacks and how to defend against them, the lower the risk of data breaches or security incidents. Yet many companies still do not recognise the benefit of staff education and, as a consequence, are not investing in it; only 35% of IT professionals feel ready to defend against phishing attacks. The most common reason given for not investing in staff training is lack of budget.

But with IT Governance’s e-learning training courses, even large organizations can train their whole staff at an affordable price – less than $15 per employee. The Phishing Staff Awareness e-learning course has been specially developed to raise awareness of email-based attacks and social engineering threats. It covers how to identify phishing emails, along with the social engineering tactics and scams that might trick employees into causing security incidents.